Data-usage Monitoring and Enforcement

Status

This project started in November 2011 and is now closed.
It is part of an older and wider research stream in the Information Security group on Runtime Policy Monitoring and Enforcement.

Researchers

Prof. David Basin (Information Security Group, ETH)
Dr. Eugen Zalinescu (Information Security Group, ETH)
Dr. Felix Klaedtke (Information Security Group, ETH)
Matúš Harvan (Information Security Group, ETH)
Vincent Jugé (visiting ETH)
Germano Caronni (Google)

Description

Many kinds of digitally stored and processed data should only be used in restricted ways. The intended usage may be stipulated by government regulations, corporate privacy policies, preferences of the data owner, etc. An example of such a usage restriction is that “personal data must be deleted after 30 days, not forwarded to third parties, and used only for statistical purposes.” Such policies cover not only who may access which data, but also how the data may or may not be used after access. Monitoring and controlling such usage is a fundamental problem in the field of data protection and privacy.

In the past, we have designed policy languages for expressing privacy and related data-usage policies, given these languages a semantics based on temporal logics, and developed algorithms that monitor a stream of system events (online or from a log file) against such policy specifications.
In this project, we address the following main problems:

Our current algorithm for monitoring data usage can efficiently audit log files with millions of entries. How do we scale the monitoring to logs that have orders of magnitude more entries?

Monitoring compliance with privacy policies is a simpler problem than enforcing compliance: for enforcement we not only need to detect violations, but an enforcement mechanism must also interact with the system and may carry out restraining or corrective actions. Which class of privacy policies (including those entailing obligations on future actions) is enforceable for a given notion of enforcement?

Privacy policies are typically formulated at high levels of abstraction. In contrast, monitors observe system events that are low-level and concrete and may occur at different parts of the system stack (applications, middleware, operating system, etc.). How do we bridge the gap between these abstraction levels to build effective monitoring infrastructures?
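As an added illustration (not code from this project or from MonPoly), the following Python sketch monitors a constructed, timestamp-ordered event log against the example policy quoted above: collected personal data must be deleted within 30 days, must not be forwarded to third parties, and may be used only for statistical purposes. The event names, the day-granularity timestamps and the sample log are assumptions; note how the deletion obligation, which concerns a future action, can only be judged once time has moved past its deadline.

```python
from dataclasses import dataclass, field

# Constructed sample log: (time in days, event, data id[, argument]).
SAMPLE_LOG = [
    (0, "collect", "d1"),
    (1, "collect", "d2"),
    (5, "forward", "d1", "third_party"),   # forbidden forwarding
    (20, "delete", "d1"),                  # d1 deleted in time
    (40, "use", "d2", "marketing"),        # d2 overdue and misused
    (45, "delete", "d2"),                  # too late to satisfy the obligation
    (46, "collect", "d3"),                 # obligation still open at end of log
]


@dataclass
class UsageMonitor:
    """Online monitor for the three-part usage policy (simplified example)."""
    deadline: int = 30
    pending: dict = field(default_factory=dict)    # data id -> collection time
    violations: list = field(default_factory=list)

    def _expire(self, now):
        # A missed deadline is only observable once the clock has passed it.
        for d, t0 in list(self.pending.items()):
            if now > t0 + self.deadline:
                self.violations.append(f"{d}: not deleted within {self.deadline} days of t={t0}")
                del self.pending[d]

    def step(self, ts, event, data, arg=None):
        self._expire(ts)
        if event == "collect":
            self.pending[data] = ts            # new future obligation
        elif event == "delete":
            self.pending.pop(data, None)       # obligation discharged (if in time)
        elif event == "forward" and arg == "third_party":
            self.violations.append(f"{data}: forwarded to third party at t={ts}")
        elif event == "use" and arg != "statistics":
            self.violations.append(f"{data}: used for '{arg}' at t={ts}")
        return self.violations

    def finish(self, end_ts):
        # Close the log: expire overdue obligations, report the ones still open.
        self._expire(end_ts)
        return self.violations, sorted(self.pending)


def monitor_log(log, deadline=30):
    m = UsageMonitor(deadline)
    for entry in log:
        m.step(*entry)
    return m.finish(log[-1][0] if log else 0)
```

Obligations that are still open when the log ends are returned separately: they are neither violations nor proof of compliance, which is exactly why an enforcement mechanism (rather than a monitor) would have to act before the deadline.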

Publications

David Basin, Vincent Jugé, Felix Klaedtke, and Eugen Zălinescu.
Enforceable security policies revisited.
In Proceedings of the 1st Conference on Principles of Security and Trust (POST 2012).
Lecture Notes in Computer Science, volume 7215, pages 309-328. Springer, 2012.

David Basin, Felix Klaedtke, Srdjan Marinovic, and Eugen Zalinescu.
Monitoring Compliance Policies over Incomplete and Disagreeing Logs.
In Proceedings of the 3rd Conference on Runtime Verification (RV 2012).
Lecture Notes in Computer Science, volume 7687, pages 151-167. Springer, 2013.

David Basin, Vincent Jugé, Felix Klaedtke, and Eugen Zălinescu.
Enforceable security policies revisited.
ACM Transactions on Information and System Security, Volume 16, Issue 1, 2013.

David Basin, Matus Harvan, Felix Klaedtke, and Eugen Zalinescu.
Monitoring Data Usage in Distributed Systems.
IEEE Transactions on Software Engineering.

David Basin, Felix Klaedtke, Srdjan Marinovic, and Eugen Zalinescu.
Monitoring of Temporal First-order Properties with Aggregations.
The 4th Conference on Runtime Verification (RV 2013).

Matus Harvan, David Basin, Germano Caronni, Sarah Ereth, Felix Klaedtke, Heiko Mantel.
Checking System Compliance by Slicing and Monitoring Logs.
Technical Report 791, ETH Zurich, Department of Computer Science, July 2013.

Software

MonPoly: A monitoring tool that checks compliance of log files with respect to policies. Policies are specified by formulas in metric first-order temporal logic.